Security Bulletin #102
False positives can be more costly than a malware infection
Poor business decisions can be very costly, especially in cybersecurity, where labeling clean items as malicious – so-called false positives – can have very damaging consequences. In the cybersecurity universe, everything revolves around one basic question: is the detected sample malicious or clean? With a growing number of clients in its global network, the number of items that need to be evaluated increases along with the risk of causing so-called false positives (FPs). In cybersecurity, this term describes the errors when a protection solution incorrectly labels clean items as malicious. This leads to them being quarantined, blocked or deleted. Now, not every false positive necessarily means total collapse for a business’s IT infrastructure. Some errors only have a minor impact on daily operations and can be resolved by adding a simple exception. But other glitches can disrupt business continuity and thus potentially be even more destructive than an actual malware infection. So how can a business achieve equilibrium, where it protects itself from malicious items and minimizes false positives to a manageable level? It would be easy to achieve 100% detection or 0% false positives, but it is impossible to have both at the same time. Some IT environments require 24/7 monitoring, and a responsible person who can react almost instantaneously to any suspicious activity or security notification. In restrictive environments – such as bank employee terminals, with identical devices running only a limited set of applications – admins can opt for whitelisting. This allows them to create a detailed list of authorized actions and software. Anything off the list gets blocked, regardless of whether it is clean or malicious. The most effective way to protect general-purpose systems, networks and/or endpoints is to deploy a well-tuned security solution (with high detection ratio and a false positive rate close to zero) and to supervise it with experienced administrator(s) who can take care of the rare cases when FPs occur.
Microsoft plugs crazy bad bug with emergency patch
Microsoft released a critical out-of-band security update for the Microsoft Malware Protection Engine, to plug an easily exploitable bug that could allow remote attackers to compromise target Windows machines. The vulnerability can be exploited to execute arbitrary code in the security context of the LocalSystem account. This would allow attackers to take control of the target system, install programs, view, change, or delete data, create new accounts with full user rights, and so on. To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.
SOCs are maturing, but need more automation
Security operations centers (SOCs) are growing up, according to a new SANS survey. Respondents indicate the SOC’s primary strengths are flexibility of response and response time, while their biggest weakness is lack of visibility into events. Although the survey indicates that SOCs need more automation, particularly for prevention and detection, it also shows that they are maturing and utilizing a mixture of cloud and internal-based SOC services. Today’s SOCs have a broad range of capabilities, with 91% providing prevention capabilities through network IDS/IPS, 86% providing detection capabilities through network IDS/IPS, and 77% providing response capabilities through EDR (endpoint detection and response), to name just the highest-rated capabilities.
CERTFR-2017-ALE-009 : Vulnérabilité dans Microsoft Malware Protection Engine (09 mai 2017)
CERTFR-2017-ALE-008 : Vulnérabilité dans RDP pour Microsoft Windows XP et Windows Server 2003 (14 avril 2017)
CERTFR-2017-ALE-006 : Multiples vulnérabilités dans Siemens RUGGEDCOM ROX I (29 mars 2017)
CERTFR-2017-ALE-005 : Vulnérabilité dans les commutateurs Cisco (20 mars 2017)
CERTFR-2017-AVI-142 : Vulnérabilité dans Mozilla Firefox (09 mai 2017)
CERTFR-2017-AVI-141 : Multiples vulnérabilités dans le noyau Linux de Suse (09 mai 2017)
CERTFR-2017-AVI-140 : Multiples vulnérabilités dans SCADA les produits Siemens (09 mai 2017)